In recent years, medical devices, such as electronic health records (EHR) systems and advanced bed and fall monitors, have played a key role in health care settings, with the average hospital room containing nearly 15-20 connected devices. Though some of these devices run on onsite operating systems, others contain external vulnerabilities that put hospitals at a greater risk for data breaches. While connectedness may seem like an improvement, these medical devices can also create a hostile environment for health care institutions, posing major threats to cybersecurity.
Since most medical devices are linked to internal hospital networks, Wi-Fi and the internet, device security is of critical importance to health care providers. One breach could instantly impair the quality of care; for example, devices like real-time location systems (RTLS) that allow clinicians to find available equipment for treatments could be penetrated, resulting in organizational chaos. Many hospitals are already in the crosshairs of hackers, with 80 percent of organizations facing cyberattacks during the last two years, and 77 percent of providers feeling concerned about unsecured medical devices.
While the interconnectedness of medical devices isnâ€™t new, health care institutions have only recently started to research and implement controls that safeguard data. The Food and Drug Administration (FDA) issued guidelines for connected medical devices security in 2016, but many providers still struggle to proactively invest in initiatives that reduce the risks these devices pose. Earlier this year, the FDA also issued a medical device security action plan to address key issues with data protection. The FDA and health care institutions must coordinate an approach to sustain further innovation and increased safety in the future.
Fortunately, your health care organization can follow three steps to safeguard your connected devices against cyberattacks and better protect patient security.
1. Gain an Understanding of All Connected Devices
The first step in mitigating your risk is to gain an in-depth understanding of the connected devices within your network. Generating an inventory that covers your assets, such as information systems, servers and other wired or wireless devices, will allow you to recognize the connections among devices. This will allow you to more readily identify and monitor vulnerabilities when inevitable changes, like software updates, are required. The more detailed the inventory, the better your network will function in real-time.
2. Develop a Risk Assessment and Remediation Strategy
Assessing the risk posed by each device based on the likelihood of a threat or any known vulnerabilities will help you prioritize. Once you are aware of each deviceâ€™s risk profile, you can create a holistic risk assessment that addresses every area of the security funnel. Ideally, the assessment will encompass:
- A high-level approach to institutional data security
- A more detailed, individualized summary for single devices
- A comprehensive analysis of possible risk factors
- Viable mitigation strategies
After completing the assessment, you can develop an actionable plan for remediation. At this stage, it is essential to take into account the established controls and capabilities for recovery. Beginning with the most critical items, providers can rank the priorities of remediation based on the institutionâ€™s available resources.
3. Create a Culture of Security
Device security isnâ€™t only an issue for information technology teams. Many professional teams in health care institutions share data, so itâ€™s important to integrate security measures into the operational workflows of your staff. Installing a data dashboard for staff members that delivers breach alerts and other relevant cyberattack information will create a security-aware culture. It may be worthwhile to also consider the introduction of training programs to ensure that staff members keep security top-of-mind and can identify threats.
By taking firm action against the risks posed by connected medical devices, health care institutions can continue to adopt innovative measures to streamline care while protecting the safety of patients.
For questions on how to safeguard your medical devices, please contact Jennifer Moreno in our CyberHealth Department at 505.998.3239.